Classification of traffic using NTP fails

Most likely the app classification is not accurate. But mine is? Maybe your traffic is different to mine. NTP is not NTP in most cases. There are different types of NTP. So based on the port, plenty attackers try to use the port 123 to communicate with there apps (C2 Communication). 

If your NTP is not correctly pickup, you could do a wireshark dump and check the wireshark dump, if you find anything odd looking. 

There were some issues with ThunderVPN etc. based on Port123. But not picking up NTP at all is rather new to me. 

Check the logviewer on Port123 if there is a app classification. 

I checked the logviewer and found only one device uses Network Time Protocol and that is a power controller. All other devices are not recognised as using NTP but port 123 and this includes the two Sophos APX120s, the NTP server running a specific NTP server function.

Thunder VPN has not surfaced for a couple of releases.

I did find a couple of errors in the firewall rueles which have been cleaned up. The APX that is managed by CM continually does NTP checks where as the locally managed APX does not.

Ian

I have sent you a PM with the conntrack file.

Ian

We need a pcap file. Not a screenshot of some packet capture. 

support.sophos.com/.../KB-000037007

I have added a tcpdump file in a PM to you.

I think I can maybe see the cause, the traffic is decoded as NTPv4, not NTP, so maybe a there is a need to add a couple of new classifications of NTPv4 

Ian

More analysis, shows the device that records the traffic as Network Time Protocol in logviewer is using NTPv3.

I have sent you a tcpdump of the IP4 traffic in a PM.

I have attached a screenshot of the tcpdump capturing NTP using IPv6.

Ian

Having identified the issue as being XG classifies NTPv3 but does not recognise NTPv4 what needs to be done to effect the addition of NTPv4 to the classification list?

Ian

Is your Tcpdump / pcap file with NTPv4 Traffic? 

I think it only has ntpv3, the screen capture above has ntpv4.

ian

We need a packet capture of your faulty traffic to analyze it. 

I didn’t examine the zip file I sent you in great detail. I will try again, but the device does not send ntp request very often.

ian

You could do the following: 

tcpdump -ni any port 123 -b -w /tmp/ntp.pcap & 

conntrack -E | grep 123 > /tmp/conntrack.log & 

Those commands will run until you reboot the appliance or stop them by doing a kill command: 

Use: ps | grep tcpdump    //      ps | grep conntrack

SFV6C8_AZ01_SFOS 19.0.0 GA-Build317# ps | grep tcpdump
tcpdump 6605 6394 root 11176 392 S tcpdump -ni any port 123 -b -w /tmp/test.pcap
grep 6724 6394 root 22928 2788 S grep tcpdump

Use the first number (6605) and kill it with: kill -9 6605 

Let both commands run for some time and then check again. 

You could do the following: 

tcpdump -ni any port 123 -b -w /tmp/ntp.pcap & 

conntrack -E | grep 123 > /tmp/conntrack.log & 

Those commands will run until you reboot the appliance or stop them by doing a kill command: 

Use: ps | grep tcpdump    //      ps | grep conntrack

SFV6C8_AZ01_SFOS 19.0.0 GA-Build317# ps | grep tcpdump
tcpdump 6605 6394 root 11176 392 S tcpdump -ni any port 123 -b -w /tmp/test.pcap
grep 6724 6394 root 22928 2788 S grep tcpdump

Use the first number (6605) and kill it with: kill -9 6605 

Let both commands run for some time and then check again. 

Hi,

I have tried to refine tcpdump previously only to find that the tcpdump on the XG115w has a very limited parameter range. The console port will timeout and probably kill the sessions. I will try again later today.

I have sent you a PM with the ntpv4 capture, I have not been able to capture any ntpv3 traffic becasue the device updates its time at random intervals.

Ian

I have uploaded ntpsv3.pcap.zip in a PM to you.

The XG115W is not powerful enough to run multiple console tasks, earlier the web interface crashed advising the XG was going to restart, which it didn't but all the web sessions were killed and had to be re-initiated.

Ian

Sorry without the needed data from the pcap as explained above we cannot reach out to labs to get this fixed. 

I have provided the required data from the pcap as requested. Next challenge will be to get some conntrack results.

ian

We need the conntrack and the pcap of the same connection at the same time. Labs cannot analyze the traffic from different connections. 

the requested files have been sent to you in a PM.

Ian

Can you please verify, if the categorization now works? 

Hi LuCar,

Thank you for your help and persistence with this issue. You beat me to responding. Yes it has been fixed. I had delayed updating this thread because ntp does not always appear in the daily reports.

Ian’s